That's only possible if Microsoft signs a public key the distro owner controls and then embeds it inside a special build of their shim. In that case, the distro owner can distribute any Linux kernel they want, but they need authorization from Microsoft beforehand. Therefore, you can't publish a UEFI Linux desktop without being in league with the adversary.